Information Governance Policy: NHS South Midlands
Recommendations from the NHS Information Governance Working Party
IMPORTANT NOTE
The following report has been produced in response to a review of
all major policy documents inherited from the NHS South Midlands
merger.
This report aims to provide an appraisal of the Information
Governance issues important to the NHS South Midlands in order
to help guide the successful adoption of new policy measures,
following the failures of the existing Information Governance
policy, highlighted by a critical report by the Healthcare
Commission in 2008. The eight principal areas addressed in the
report include:
Information security.
It is a group report which covers all the above areas. Since I do not have
the consent of the rest of the group members, I cannot upload the
full report. I can only upload the part of the report which I have
produced.
2.1 Introduction
In recent years, especially for the National Health Service, the issue
of the privacy of personal data has become more imperative than ever.
Massive amounts of information can be stored on small devices, and patients’
personal data could be exposed to unwanted individuals or organizations.
Therefore, the Data Protection Act and the people who work for the NHS
should ensure that the patients’ personal data will remain within the NHS.
These incidents are only indicative. However, the NHS South Midlands has
been taking all the necessary technological and ethical precautions in order
to ensure that the patients’ personal data will remain within the
organization.
2.2 Definitions-rights
2.2.1 Data subject
For the NHS South Midlands there is a clear definition on what a data
subject is. According to the Data Protection Act (DPA), quoted by the
Information Commissioner’s Office (ICO) (2009, p.26):
“Data subject means an individual who is the subject of the personal data.
The data subject is the individual whom particular personal data is about.
The Act does not count as a data subject an individual who has died or
who cannot be identified or distinguished from others.”
It is of vital importance for the NHS South Midlands to remember that the
rights of the data subject are fully respected, according to Pedley (2003,
p.65-66):
2.3 Personal data
Personal data means data which relate to a living individual who can be
identified:
i. “from those data
ii. or, from those data and other information which is in the
possession of, or it is likely to come into the possession of, the
data controller and includes any expression of opinion about the
individual and any indication of the intentions of the data
controller or any other person in respect of the individual”
(Great Britain. Information Commissioner’s Office 2009 p.22)
It is essential to mention, regarding personal data, that the DPA is
governed by eight fundamental principles, which should be respected by
the South Midlands:
2.4 Personal sensitive data
It is important for the NHS South Midlands to elucidate that apart from
personal data, there is also the term “personal sensitive data”. According
to the DPA, quoted by the Information Commissioner’s Office (2009,
p.23), sensitive personal data means personal data consisting of
information as to-
• “The racial or ethnic origin of the data subject
• His/her political opinions
• His/her religious beliefs of a similar nature
• Whether he is a member of a trade union (within the meaning of
the Trade Union and Labor Relations (Consolidation) Act 1998)
• His/her physical or mental health or condition
• His/her sexual life
• The commission or alleged commission by himself of any offense, or
• Any proceedings for any offense committed or alleged to have been
committed by him/her, the disposal of such proceedings or the
sentence of any court in such proceedings.”
Based on the aforementioned, the NHS South Midlands should make it its
top priority to secure and maintain these principles that govern the notion
of “sensitive personal data”.
2.5 Data controller
Within the confines of NHS South Midlands, the presence of the data
controller should be vital for ensuring the privacy of data.
“The data controller is the person who (either alone or jointly or in
common with other persons) determined the purposes for which and the
manner in which any personal data are, or are to be, processed” (Great
Britain. Information Commissioner’s Office 2009 p.26)
2.6 Data processor
For the NHS South Midlands, the data processor should work in strong
connection with the data controller.
“Data processor is the person (other than an employee of the data
controller) who processes the data on behalf of the data controller” (Great
Britain. Information Commissioner’s Office 2009 p.27).
The conditions which should be met must be followed explicitly by the
data processor, whenever personal data are being processed. These
conditions are:
• “The individual who the personal data is about has consented to the
processing
• The processing is necessary
- in relation to a contract which the individual has entered into
- because the individual has asked for something to be done so they
can enter into a contract
• The processing is necessary to protect the individual’s “vital
interests”. This condition only applies in cases of life and death,
such as where an individual’s medical history is disclosed to a hospital’s
A+E department treating them after a serious road accident.
• The process is necessary for administering justice, or for exerting
statutory, governmental or other public functions.
• The processing is in accordance with the “legitimate interests”
condition” (Great Britain. Information Commissioner’s Office 2009
p.110)
2.7 Patient privacy and patient-doctor confidentiality
A crucial field for any NHS organization is privacy: not only the privacy of
personal data but also patient privacy. It should be taken into serious
consideration that patient privacy is of the essence. As a case in point, the
NHS South Midlands should have as its duty “to treat the patient with
respect and autonomy protecting your personal data and your physical
person from privacy invasion” (YourPrivacy 2010).
The NHS has a duty to ensure for the patient single-sex accommodation,
privacy on the ward, and protection of the patient’s dignity.
2.8 Centralization of medical records and medical records (privacy)
The NHS South Midlands, like the other NHS organizations, plans to
centralize all patient records within the confines of patient privacy.
“This involves the gradual transfer of every medical record to an electronic
database, which will be accessible to healthcare professionals all over the
country” (YourPrivacy 2010).
“Patients have a right to see all records held on them. However medical
professionals are entitled to withhold your medical records under certain
conditions” (YourPrivacy 2010).
[For more details please go to the chapter Patient Confidentiality and Access
to Health Records]
2.9 Genetic privacy
Regarding genetic privacy the NHS South Midlands respects the genetic
privacy of its own patients.
The Department of Health (2010):
“Takes a firm stance on patient privacy. Medical professionals will always
put the patient first, respecting their right to privacy. If you wish to keep
your condition secret from family members, you have every right to do so.
If you do not want your medical information used for healthcare research,
or even passed on to other professionals, your wishes will be respected.
According to the Department of Health there are some exceptions that the
disclosure of medical information is acceptable, legal whether the patient
is dead or alive, under the condition that it meets the requirements of the
DPA”.
“Your employer has a right to ask for genetic information, but the DPA
insists that she/he has a reason for doing so. Any medical information,
including hereditary and long-term conditions must be stored in a
separate place and not made available. Insurers too, will ask intimate
questions about your medical history. They are bound by the same rules
and must not use your information except for research purposes (to
improve their own services)”. (YourPrivacy 2010)
2.10 Privacy and data protection related to the NHS South Midlands’ website
2.11 Information collection
2.12 Collection and use of technical information
2.12.1 Cookies
“Cookie is a data file written to your hard drive by a web server that
identifies you to a site and it helps a website “remember” who you are
and set preferences accordingly when you return” (PC World 2000).
Regarding the log files, the NHS South Midlands should ensure that:
“Every time the website is accessed an entry is made in the web server’s
log file. This tells us broadly where an access is coming from, when it was
made, which file was requested and whether the request was successful
or not. It usually does not allow us to identify individual users. The data is
used to assess usage levels and spot technical problems (such as broken
pages or web server errors or hack attempts).” (Great Britain. National
Health Service Institute for Innovation and Improvement 2010)
2.13 Notification
If the data subject wishes to have access to his/her personal data,
then the NHS South Midlands should comply. According to the DPA,
quoted by Pedley (2003, p.61):
The DPA says that those who record and use personal information must
notify the ICO that they process personal data. A register of data
controllers is available on the website: www.dpr.gov.uk. Each entry
consists of:
• “The data controller’s name and address
• A description of the personal data being processed
• The categories of data subject to which they relate
• Data classes such as employment details
• A description of the purpose(s) for which data is or may be
processed
• A description of recipient(s) to whom the data will be disclosed
• The name of countries or territories outside the EEA (European
Economic Area) to which the data is or might be transferred either
directly or indirectly by the data controller. Those who process
personal data must provide access to the data that they hold on a
person in order that the data subject can check and correct their
records and prevent certain types of processing.”
REFERENCES/BIBLIOGRAPHY